[Dshield] RE: (Dshield) port 1433 -- additional information

Toney, Mark mtoney at sodexhoUSA.com
Tue May 21 14:52:00 GMT 2002


     Additional info from incidents.org
     (http://www.incidents.org/diary/diary.php?id=156):
     
     "MSSQL Worm (sqlsnake) on the rise
     ================================================================
     (Preliminary)
     
     Starting yesterday, the Internet Storm Center detected a sudden
     increase in hosts scanning for port 1433, which is commonly used 
     by Microsoft's SQL Server. A number of exploits are known for 
     this service. It is also known that many administrators do not 
     set a password for the 'SA' account. This administrator account 
     can be used to log on to the SQL server, execute arbitrary SQL 
     commands. Using these commands, the user can read and write 
     files, as well as execute code.
     
     While we are still collecting all the pieces, some exploit code 
     has been captured indicating that this is a self propagating 
     worm.
     
     Aside from a number of other functions, the worm will email a 
     password list to ixltd at postone.com. As of this morning, the quota 
     of this account is exceeded."
     
     
     ______________________________ Reply Separator 
     _________________________________
     Subject: (Dshield) port 1433
     Author:  "Johannes Ullrich" <SMTP:jullrich at sans.org> at BUFFALO 
     Date:    5/20/2002 9:58 PM
     
     
     Just a quick heads up to the list that I think something is 
     brewing with port 1433 (mssql). More later...
     
     --
     --------------------------------------------------------------- 
     jullrich at sans.org             Collaborative Intrusion Detection 
     join http://www.dshield.org
     
_______________________________________________ 
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: 
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list